Is this at all secure??

pyro

I am making a PHP script that I need to password protect. Is it at all secure to do something like this???

$username = "test";
$password = "test";

then call it like this

if ($user == $username && $pwrd == $password)

<form method="get" action="index.php">
  <table>
    <tr><td>Username:</td><td>&nbsp;</td><td><input type="text" name="user"></td></tr>
    <tr><td>Password:</td><td>&nbsp;</td><td><input type="password" name="pwrd"></td></tr>
    <tr><td colspan="3" align="center"><input type="submit" value=" Submit "></td></tr>
  </table>
</form>

ereptur

Using hard-coded usernames and passwords is never secure. It's best to use HTTP authentication or store user info in a mysql database and compare the entered vales for the ones in the database.

pyro

Well, I don't know how to use MySQL databases yet...I'm working on it. 🙂 Is there any simple way to add a fair level of security?

mikeatrpi

Hardcoded passwords inside your index.php won't be readable by users on the web. However, if you're on a shared server, depending on the permissions scheme other folks hosted on the same server might be able to view index.php's source code. That's the main concern [in depth- on most hosts, PHP runs as the same user for everyone. Therefore, you might be able to use PHP to open other people's source files even if you couldn't do it on the command line].

If the host uses Apache, google for .htaccess files.

pyro

Originally posted by mikeatrpi
Hardcoded passwords inside your index.php won't be readable by users on the web.

That's mostly what I wanted to know. It doesn't have to be perfect.

I am familiar with .htaccess, but for this perticular project, would rather not use it.

Thanks for you help. 🙂

NoFear

Why don't you use an encryption function such as crypt(), then store it in a file. It'd be better than nothing.

Oh yeah, here's a question for the security buffs...

How can PHP's source code be read from the internet? I thought php was server-side only? Nobody should be able to get at, right? Wouldn't this mean that they couldn't get at the files, either?

I don't know much about security with PHP, and I was hoping that somebody would give me a quick little lesson here.

pyro

Originally posted by NoFear
Why don't you use an encryption function such as crypt(), then store it in a file. It'd be better than nothing.

With crypt() I thought you could only encrypt, and not decrypt, so what good is it??

mikeatrpi

That post about crypt() sparked an idea. Write a page like this:

echo 'User: ' . md5('desiredusername');
echo '<br>Password: ' . md5('password');

Run it, save the output, and delete it. Then compare like this:

if(md5($password) == OUTPUT_FROM_ABOVE && md5($username) == OUTPUT_FROM_ABOVE) {
echo 'Authenticated!';
}

Because md5 is a one way algorithm, even if someone opened your file they would only see the md5 coded strings.

mikeatrpi

NoFear, try to use fopen() on your server as follows:

fopen('/path/to/someone/elses/phpfile.php');

See if it lets you open and read the file. Then you can output the contents to the screen and you've got their source. No one can read php source from the internet since all http requests go through the php parser for all php files. Be careful using .inc files; sometimes web browsers don't interpret .inc files as php and thus they're treated like text and can be downloaded. For all php, it is best to save code in files with the .php extension.

file.php
file.inc => file.inc.php
file.conf => file.conf.php

lobobr

Just one thing to add here:

You could easily do the md5() comparision, so you see if the password entered is correct, but you'll never be able to do something like a "lost password" function with it, because you can't decrypt it.

Regards,

NoFear

Originally posted by pyro
With crypt() I thought you could only encrypt, and not decrypt, so what good is it??

Yes, that's correct, but if you also crypt the information when it comes in, then compare it, you're comparing crypt($enteredvariable) with $storedvariable

pyro

Yeah, I noticed that. It works great. I was just wondering, is it (reasonably) possible to decrypt it?

NoFear

Originally posted by pyro
Yeah, I noticed that. It works great. I was just wondering, is it (reasonably) possible to decrypt it?

Hasn't happened yet. Possible, yes. Will it ever happen? Most likely, but when it has, something better will be available.

actually, md5() is probably your best bet for encrypting.

pyro

Good, it's nice that it is so easy to provide a good level of security. Thanks a lot, man.

KillerCheeto

MD5 Encryption is a 'one-way' cryptic algorithm. Meaning that the result of encrypting a string doesn't contain any real values for decrypting. So, it's IMPOSSIBLE to decrypt an MD5 encrypted string. 😃

Happy scripting!

PyroX

Also notable is that md5 is a multi platform standard.

All kinds of protocals use it to transfer data.

Unix/Linux Passwords, MSN Messenger, ect.

There is a method you could use to get the password, it is grinding, or brute forcing the password. But that would take weeks and a huge archive of dictionary files in most cases.

And as for fopen('/path/to/someone/elses/phpfile.php'); , this is a huge problem you should think about when storing ANY sensative information.